concat-map

concatenative mapdashery

Versions: 3
License: MIT
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance | npm registry signatures | gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

substack, ljharb, nopersonsmodules

Keywords

concat, concatMap, map, functional, higher-order

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
npm-metadata | suspicious-initial-version | AI (npm-metadata): concat-map is a 13+ year old legitimate package by substack (James Halliday). Version 0.0.0 reflects early npm ecosystem conventions, not malicious intent. | ai |
provenance | no-provenance | AI (provenance): Package predates Sigstore provenance by many years; absence is expected and not a risk signal for this package. | ai |
provenance | publisher-changed | AI (provenance): Publisher change from substack to ljharb is a well-documented legitimate stewardship transfer; ljharb is a trusted, prolific npm maintainer with consistent metadata across this package. | ai |
maintainer-change | maintainer-added | AI (maintainer-change): ljharb and nopersonsmodules are known maintainers in ljharb's ecosystem; addition reflects legitimate transfer from substack, not a compromise. | ai |
publish-pattern | dormant-publish | AI (publish-pattern): Dormancy reflects original substack abandonment; ljharb resuming maintenance is the expected explanation given consistent repo/funding metadata. | ai |

Versions (showing 3 of 3)

Version Deps Published
0.0.2 0 / 8
0.0.1 0 / 1
0.0.0 0 / 1